CCISO (712-50) Executive Decision Simulation
This scenario tests your ability to identify the correct strategic stakeholders required to drive an enterprise-wide cultural shift and effectively implement security governance.
Executive Briefing
You are the CISO of OmniTrans Global, a multinational logistics corporation. The company recently suffered a near-miss ransomware incident initiated through a highly targeted spear-phishing email. In response, the Board of Directors has mandated an immediate, aggressive overhaul of the company's anti-phishing culture.
Business Context
Historically, security awareness training at OmniTrans has been treated as a "check-the-box" annual IT exercise. Business unit leaders frequently complain that excessive security testing and training modules take their teams away from core revenue-generating operations. For this new campaign to succeed, it must be embedded into the company's culture without causing unacceptable operational friction.
Decision Scenario
You are drafting the project charter for the new enterprise anti-phishing campaign. You must assemble a steering committee to oversee its development and execution. If you assemble the wrong team, the campaign will either lack technical efficacy, face severe operational resistance, or be ignored due to a lack of executive mandate.
Strategic Analysis Briefing
- The Real Problem: Security awareness campaigns fail when they are viewed purely as "IT projects." If the business units do not help develop the program, they will resist its deployment, viewing it as an impediment to operational efficiency.
- Business vs. Security Perspective: Security (CISO) wants rigorous, frequent testing to lower risk. IT (CIO) is concerned with the technical delivery and network impact of the campaign. The Business wants minimal disruption to daily workflows. All perspectives must be reconciled during the development phase.
- Risk and Impact Analysis: An anti-phishing campaign requires a "Tone at the Top" (CEO) to enforce compliance. Without Business Unit Leaders, operational context is lost, leading to poorly timed rollouts that disrupt revenue. Without the CISO, the campaign lacks strategic security direction.
Why Option B is the BEST Answer:
This option encompasses the complete triad of governance required for cultural change: Executive Mandate (CEO), Technical & Security Strategy (CIO, CISO), and Operational Execution (Business Unit Leaders). Involving Business Unit Leaders in the development phase transforms them from resisters into champions of the program within their respective departments.
Why Other Options are Weaker:
- A. Business unit leaders, CIO, CEO: Missing the CISO. The Chief Information Security Officer is the primary domain expert responsible for defining the security risk and the required behavioral outcomes.
- C. All employees: While all employees will participate in the campaign, it is entirely impractical and structurally impossible to involve all employees in the strategic development and governance of the program.
- D. CFO, CEO, CIO: Missing both the CISO (security expert) and the Business Unit Leaders (operational buy-in). A top-heavy committee will fail to understand ground-level workflow disruptions.
Mini Lesson: Cross-Functional Governance & Tone at the Top
Information Security is a business problem, not an IT problem. When developing security policies or campaigns, the CISO must engage cross-functional stakeholders. "Tone at the top" means the CEO must visibly support the initiative. However, "Tone at the middle," driven by Business Unit Leaders, is what actually dictates daily employee behavior and program adoption.